On This Page:

Please report an information security incident or any phishing attempts immediately to itprotect@umass.edu.

If you suspect a compromise or unauthorized access to credit card information:
Also contact the campus ecommerce representative immediately (pci@admin.umass.edu) to initiate the appropriate response, pursuant to the acquiring bank and card brand incident response procedures.

More detailed information can be found below.

A ‘data security incident’ is a catch-all term for different types of unauthorized activity involving computing devices and/or sensitive data. Members of the university community can use this page to learn about different types of data security incidents, the appropriate response procedures, and the consequences for mishandling them.

Respond to Data Security Incidents

Data security incidents involving university-owned devices or personal devices containing sensitive university data can have serious consequences. Responding to potential incidents promptly and efficiently helps protect the university's assets (e.g., data, computers, networks) and ensures compliance with state and federal law, and university policy. Please report any phishing attempts or other security incidents immediately to itprotect@umass.edu.

Types of Data Security Incidents

Computing Devices Compromised by Malware (Most Common)
Desktops, laptops, and servers are often infected with malicious software (e.g., viruses, malware). If the infected device contains sensitive university data, this may constitute a data security incident. If a server is compromised, IT Administrators should contact security@umass.edu for instructions.

Computing Devices Accessed without Authorization (Non-Malware)
These include university devices accessed without permission - stolen or compromised credentials (e.g., usernames and passwords), credentials lost to phishing scams, and other attempts to access a device without authorization (e.g., former employees).

Lost or Stolen Computing Devices
These include lost or stolen departmental laptops, USB drives, cell phones, or other devices that may contain sensitive data, or personal computing devices with sensitive university data. Report lost or stolen university-owned devices.

Consequences of Mishandling Data Security Incidents

Under Chapter 93H of the Massachusetts General Law, the university is required to notify those individuals whose personal information may have been compromised as a result of a security breach. Failure to respond to a data security incident appropriately can lead to regulatory fines, legal action, and loss of funding and reputation.

In the event of a confirmed security breach, departments may be held financially responsible for the cost of the breach, lose accreditation, and risk legal action, among other consequences.